I'm going to ask around; this isn't making sense to me.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, October 15, 2008 4:39 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

Hi Jim,

Let me elaborate...

The article is a little vague and doesn't cover the exact issue, as it talks about web publishing certificates rather than "any" certificates. I think the issue is a little more varied, even though the proposed solution works.

To repro the issue:

1. Publish something with FBA.
   Test to see if login is delayed (approx 20-30 secs) after clicking the "login" button - it shouldn't be.
2. Enrol a certificate into the ISA local computer cert store with the client auth purpose.
   Test to see if login is delayed (approx 20-30 secs) after clicking the "login" button - it shouldn't be.
3. Enable the change password feature on the web listener.
   Test to see if login is delayed (approx 20-30 secs) after clicking the "login" button - it *should* be - problem created!
4. Reconfigure the certificate to remove the client auth purpose (may also have to do the same on DC certs).
   Test to see if login is delayed (approx 20-30 secs) after clicking the "login" button - it *shouldn't* be - problem fixed!

I've had this happen with a few customers now and the client purpose fix always works; however, this is the first occurrence of actually needing a client auth cert on an ISA server for mutual TLS.

Cheers

JJ

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 16 October 2008 00:23
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

Actually, I haven't had a chance to play with it; the multi-cert issue seems odd to me. I guess CAPI grabs the first cert it can find regardless of OID?!?
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, October 15, 2008 1:30 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

I assume from the silence that you guys don't believe me or have run out of ideas? :-P

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: 10 October 2008 21:02
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

I'm cornfussed; if the ISA is not allowed to possess the private key for the multi-purpose certificate, how is it able to use that cert for server authentication?

Yes; you could use separate certificates, since CAPI will choose the certificate best suited to the conversation.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Friday, October 10, 2008 5:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Server Slow FBA Login Issue and Solution Impact on SCCM Agent

Hi All,

An issue exists with ISA2k6 FBA as follows:

"Client logon is slow and server certificates used for Web publishing are configured with the default purpose settings "Server Authentication" and "Client Authentication"

Issue: When Windows Server 2003 detects the default purpose setting of "Client Authentication", the operating system attempts to perform TLS with mutual authentication to the domain controller. The mutual authentication process requires ISA Server to have access to the private key of the server certificate with the "Client Authentication" setting enabled, and ISA Server does not (and should not) have this access.

Solution: Ensure that all server certificates do not have the default "Client Authentication" purpose enabled.
You can disable this setting on the property pages of the relevant server certificate as follows..."

http://technet.microsoft.com/en-us/library/cc514301.aspx

Based upon this solution (which works very well!) I have come up against a scenario where we have a customer that needs to "manage" ISA using System Centre Configuration Manager (SCCM), but this requires a certificate to be installed that supports the Client Authentication purpose in order to meet the SCCM mutual TLS design.

So, if the client auth purpose is enabled, FBA login is painfully slow; if the client auth purpose is disabled, the SCCM agent cannot provide mutual TLS and subsequently cannot communicate with the SCCM server.

Can anyone think of a way around this?

Cheers

JJ

________________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual to whom it is addressed. If you have received this email in error, or if you believe this email is unsolicited and wish to be removed from any future mailings, please contact our Support Desk immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx If this email contains a quotation then unless otherwise stated it is valid for 7 days and offered subject to Silversands Professional Services Terms and Conditions, a copy of which is available on request. Any pricing information, design information or information concerning specific Silversands' staff contained in this email is considered confidential or of commercial interest and exempt from the Freedom of Information Act 2000. Any view or opinions presented are solely those of the author and do not necessarily represent those of Silversands. Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX. Company Registration Number : 2141393.
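The thread turns on which certificates in the ISA machine store carry the Client Authentication purpose alongside Server Authentication, and Jim's suggested workaround is to split the two purposes across separate certificates. The script below is an added example, not code from the thread or from Microsoft: it enumerates the LocalMachine\My store and reports, for each certificate with a private key, whether its issued Extended Key Usage extension (OID 2.5.29.37) allows Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2). Certificates usable for both are the ones the KB article's fix targets; a certificate with no EKU extension at all is reported as valid for both, which is how Windows treats it. The function and variable names are the example's own.

```powershell
# Added example: audit the ISA local machine store for dual-purpose
# (Server + Client Authentication) certificates that hold a private key.
# Names below (Get-EkuOids, $report) are this example's own, not ISA's.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 2.5.29.37 is the Extended Key Usage extension as issued by the CA.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }   # no EKU extension: valid for any purpose

    # X509Extension derives from AsnEncodedData, so the typed wrapper can
    # be built from it regardless of how the collection surfaced it.
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
        -ArgumentList $ext, $ext.Critical
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $oids = Get-EkuOids -Cert $cert
    $anyPurpose = ($oids.Count -eq 0)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuth    = $anyPurpose -or ($oids -contains $ServerAuthOid)
        ClientAuth    = $anyPurpose -or ($oids -contains $ClientAuthOid)
    }
}

Write-Host "Certificates with a private key usable for BOTH server and client auth:"
$report |
    Where-Object { $_.HasPrivateKey -and $_.ServerAuth -and $_.ClientAuth } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize

Write-Host "Split-purpose candidates (server-only / client-only, with private key):"
$report |
    Where-Object { $_.HasPrivateKey -and ($_.ServerAuth -xor $_.ClientAuth) } |
    Format-Table Subject, ServerAuth, ClientAuth, Thumbprint -AutoSize
```

Two caveats for anyone using this to check the fix from the KB article. First, the "Certificate purposes" change made on the certificate's property page is stored as a property on the store entry, not in the certificate itself, so this script reports what the CA issued; a certificate whose Client Authentication purpose has been unticked in the GUI will still show ClientAuth = True here and must be confirmed on its property page. Second, the listing is only a map of which certificates could be picked up for mutual TLS; whether the slow FBA logon actually occurs still depends on the web listener configuration described in the repro steps above (the change password feature in particular), so test the logon delay after any change rather than relying on the inventory alone.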